sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
Code

r11573: Adding Andrew Bartlett's patch to make machine account

Browse Source 
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef8663)
This commit is contained in:
Jeremy Allison 2005-11-08 06:19:34 +00:00 committed by Gerald (Jerry) Carter
parent c3d673e571
commit fcceedd67c
15 changed files with 92 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
source3/auth/auth_domain.c
View File

@ -218,15 +218,16 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
*/
nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
mem_ctx,
dc_name, /* server name */
user_info->smb_name.str, /* user name logging on. */
user_info->domain.str, /* domain name */
user_info->wksta_name.str, /* workstation name */
chal, /* 8 byte challenge. */
user_info->lm_resp, /* lanman 24 byte response */
user_info->nt_resp, /* nt 24 byte response */
&info3); /* info3 out */
mem_ctx,
user_info->logon_parameters,/* flags such as 'allow workstation logon' */
dc_name, /* server name */
user_info->smb_name.str, /* user name logging on. */
user_info->domain.str, /* domain name */
user_info->wksta_name.str, /* workstation name */
chal, /* 8 byte challenge. */
user_info->lm_resp, /* lanman 24 byte response */
user_info->nt_resp, /* nt 24 byte response */
&info3); /* info3 out */
/* Let go as soon as possible so we avoid any potential deadlocks
with winbind lookup up users or groups. */

2
source3/auth/auth_ntlmssp.c
View File

@ -101,6 +101,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
NULL, NULL, NULL,
True);
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}

15
source3/auth/auth_sam.c
View File

@ -208,15 +208,18 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
}
if (acct_ctrl & ACB_SVRTRUST) {
DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
}
}
if (acct_ctrl & ACB_WSTRUST) {
DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
}
}
return NT_STATUS_OK;
}

15
source3/auth/auth_util.c
View File

@ -164,6 +164,8 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
(*user_info)->encrypted = encrypted;
(*user_info)->logon_parameters = 0;
DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
return NT_STATUS_OK;
@ -223,6 +225,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
uint32 logon_parameters,
const uchar *lm_network_pwd, int lm_pwd_len,
const uchar *nt_network_pwd, int nt_pwd_len)
{
@ -238,9 +241,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
True);
if (NT_STATUS_IS_OK(nt_status)) {
(*user_info)->logon_parameters = logon_parameters;
}
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&lm_blob);
data_blob_free(&nt_blob);
return ret;
@ -255,6 +261,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
const uchar nt_interactive_pwd[16],
@ -337,6 +344,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
NULL,
True);
if (NT_STATUS_IS_OK(nt_status)) {
(*user_info)->logon_parameters = logon_parameters;
}
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&local_lm_blob);
data_blob_free(&local_nt_blob);

2
source3/auth/auth_winbind.c
View File

@ -88,6 +88,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
request.flags = WBFLAG_PAM_INFO3_NDR;
request.data.auth_crap.logon_parameters = user_info->logon_parameters;
fstrcpy(request.data.auth_crap.user,
user_info->smb_name.str);
fstrcpy(request.data.auth_crap.domain,

18
source3/include/auth.h
View File

@ -21,15 +21,12 @@
*/
/* AUTH_STR - string */
typedef struct normal_string
{
typedef struct normal_string {
int len;
char *str;
} AUTH_STR;
typedef struct auth_usersupplied_info
{
typedef struct auth_usersupplied_info {
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
DATA_BLOB lm_interactive_pwd;
@ -44,6 +41,8 @@ typedef struct auth_usersupplied_info
AUTH_STR smb_name; /* username before mapping */
AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
uint32 logon_parameters;
} auth_usersupplied_info;
#define SAM_FILL_NAME 0x01
@ -52,8 +51,7 @@ typedef struct auth_usersupplied_info
#define SAM_FILL_UNIX 0x08
#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
typedef struct auth_serversupplied_info
{
typedef struct auth_serversupplied_info {
BOOL guest;
uid_t uid;
@ -144,14 +142,14 @@ struct auth_init_function_entry {
struct auth_init_function_entry *prev, *next;
};
typedef struct auth_ntlmssp_state
{
typedef struct auth_ntlmssp_state {
TALLOC_CTX *mem_ctx;
struct auth_context *auth_context;
struct auth_serversupplied_info *server_info;
struct ntlmssp_state *ntlmssp_state;
} AUTH_NTLMSSP_STATE;
#define AUTH_INTERFACE_VERSION 1
/* Changed from 1 -> 2 to add the logon_parameters field. */
#define AUTH_INTERFACE_VERSION 2
#endif /* _SMBAUTH_H_ */

5
source3/include/libsmbclient.h
View File

@ -339,6 +339,11 @@ typedef int (*smbc_remove_cached_srv_fn)(SMBCCTX * c, SMBCSRV *srv);
typedef int (*smbc_purge_cached_fn) (SMBCCTX * c);
/* close was renamed to close_fn, because close is often a macro.
* Allow backward compatability where this is not the case */
#ifndef close
#define close close_fn
#endif
/**@ingroup structure

3
source3/include/rpc_netlogon.h
View File

@ -95,6 +95,9 @@
#define SE_GROUP_LOGON_ID 0xC0000000
#define SE_GROUP_RESOURCE 0x20000000
/* Flags for controlling the behaviour of a particular logon */
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT ( 0x020 )
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ( 0x800 )
#if 0
/* I think this is correct - it's what gets parsed on the wire. JRA. */

2
source3/nsswitch/wbinfo.c
View File

@ -630,6 +630,8 @@ static BOOL wbinfo_auth_crap(char *username)
parse_wbinfo_domain_user(username, name_domain, name_user);
request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
fstrcpy(request.data.auth_crap.user, name_user);
fstrcpy(request.data.auth_crap.domain,

1
source3/nsswitch/winbindd_nss.h
View File

@ -202,6 +202,7 @@ struct winbindd_request {
} auth; /* pam_winbind auth module */
struct {
unsigned char chal[8];
uint32 logon_parameters;
fstring user;
fstring domain;
fstring lm_resp;

38
source3/nsswitch/winbindd_pam.c
View File

@ -343,15 +343,16 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
state->mem_ctx,
contact_domain->dcname, /* server name */
name_user, /* user name */
name_domain, /* target domain */
global_myname(), /* workstation */
chal,
lm_resp,
nt_resp,
&info3);
state->mem_ctx,
0,
contact_domain->dcname, /* server name */
name_user, /* user name */
name_domain, /* target domain */
global_myname(), /* workstation */
chal,
lm_resp,
nt_resp,
&info3);
attempts += 1;
/* We have to try a second time as cm_connect_netlogon
@ -624,15 +625,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
state->mem_ctx,
contact_domain->dcname,
name_user,
name_domain,
global_myname(),
state->request.data.auth_crap.chal,
lm_resp,
nt_resp,
&info3);
state->mem_ctx,
state->request.data.auth_crap.logon_parameters,
contact_domain->dcname,
name_user,
name_domain,
global_myname(),
state->request.data.auth_crap.chal,
lm_resp,
nt_resp,
&info3);
attempts += 1;

18
source3/rpc_client/cli_netlogon.c
View File

@ -528,11 +528,12 @@ NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem
/* Logon domain user */
NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *domain,
const char *username,
const char *password,
int logon_type)
TALLOC_CTX *mem_ctx,
uint32 logon_parameters,
const char *domain,
const char *username,
const char *password,
int logon_type)
{
prs_struct qbuf, rbuf;
NET_Q_SAM_LOGON q;
@ -566,7 +567,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
init_id_info1(&ctr.auth.id1, domain,
0, /* param_ctrl */
logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, clnt_name_slash,
(const char *)cli->dc->sess_key, lm_owf_user_pwd,
@ -585,7 +586,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
SMBNTencrypt(password, chal, local_nt_response);
init_id_info2(&ctr.auth.id2, domain,
0, /* param_ctrl */
logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, clnt_name_slash, chal,
local_lm_response, 24, local_nt_response, 24);
@ -636,6 +637,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
uint32 logon_parameters,
const char *server,
const char *username,
const char *domain,
@ -688,7 +690,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
ctr.switch_value = NET_LOGON_TYPE;
init_id_info2(&ctr.auth.id2, domain,
0, /* param_ctrl */
logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, workstation_name_slash, (const uchar*)chal,
lm_response.data, lm_response.length, nt_response.data, nt_response.length);

5
source3/rpc_server/srv_netlog_nt.c
View File

@ -695,6 +695,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
if (!make_user_info_netlogon_network(&user_info,
nt_username, nt_domain,
wksname,
ctr->auth.id2.param_ctrl,
ctr->auth.id2.lm_chal_resp.buffer,
ctr->auth.id2.lm_chal_resp.str_str_len,
ctr->auth.id2.nt_chal_resp.buffer,
@ -719,7 +720,9 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
if (!make_user_info_netlogon_interactive(&user_info,
nt_username, nt_domain,
nt_workstation, chal,
nt_workstation,
ctr->auth.id1.param_ctrl,
chal,
ctr->auth.id1.lm_owf.data,
ctr->auth.id1.nt_owf.data,
p->dc->sess_key)) {

2
source3/rpcclient/cmd_netlogon.c
View File

@ -272,7 +272,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
/* Perform the sam logon */
result = rpccli_netlogon_sam_logon(cli, mem_ctx, lp_workgroup(), username, password, logon_type);
result = rpccli_netlogon_sam_logon(cli, mem_ctx, 0, lp_workgroup(), username, password, logon_type);
if (!NT_STATUS_IS_OK(result))
goto done;

2
source3/utils/ntlm_auth.c
View File

@ -323,6 +323,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
request.flags = flags;
request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
if (require_membership_of_sid)
fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);